by eternalny1 2008 days ago
SolarWinds themselves is claiming it.

https://www.solarwinds.com/securityadvisory/faq

> Our initial investigations point to an issue in the Orion software build system in which the vulnerability was inserted which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion Platform products run.

Under "With these processes in place how was your code compromised?"

2 comments

If the compromise was inserted during the build process, then one countermeasure could have been reproducible builds. Reproducible builds require the source code, but they can verify whether or not the build matches the claimed source code. That would work even after it was signed.
Thanks!
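The reproducible-build check described in the comment above, as an added example that is not part of the original thread: it hashes every file in a vendor release and in an independent rebuild from the claimed source, then reports what differs. The directory layout, file names and detached-signature suffixes are constructed assumptions; embedded signatures would have to be stripped before comparing.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: signatures are detached files with these suffixes, so they are
# skipped; they legitimately exist only in the signed release.
SIGNATURE_SUFFIXES = (".sig", ".asc")


def manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.name.endswith(SIGNATURE_SUFFIXES):
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(released: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Report files whose bytes differ or that exist on one side only."""
    rel, reb = manifest(released), manifest(rebuilt)
    return {
        "mismatched": sorted(f for f in rel.keys() & reb.keys() if rel[f] != reb[f]),
        "only_in_release": sorted(rel.keys() - reb.keys()),
        "only_in_rebuild": sorted(reb.keys() - rel.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: the released library differs from the rebuild."""
    with tempfile.TemporaryDirectory() as tmp:
        released, rebuilt = Path(tmp, "released"), Path(tmp, "rebuilt")
        for tree in (released, rebuilt):
            (tree / "bin").mkdir(parents=True)
            (tree / "bin" / "app.exe").write_bytes(b"identical program bytes")
        (rebuilt / "bin" / "core.dll").write_bytes(b"built from reviewed source")
        (released / "bin" / "core.dll").write_bytes(b"built from reviewed source + extra")
        (released / "bin" / "core.dll.sig").write_bytes(b"constructed detached signature")
        (released / "bin" / "helper.dll").write_bytes(b"not produced by the rebuild")
        return compare_builds(released, rebuilt)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A clean result (all three lists empty) only means the release matches the source that was rebuilt; it says nothing about whether that source is trustworthy.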